CN116015830A - Data protection method and system based on symmetric key - Google Patents
Data protection method and system based on symmetric key Download PDFInfo
- Publication number
- CN116015830A CN116015830A CN202211639614.5A CN202211639614A CN116015830A CN 116015830 A CN116015830 A CN 116015830A CN 202211639614 A CN202211639614 A CN 202211639614A CN 116015830 A CN116015830 A CN 116015830A
- Authority
- CN
- China
- Prior art keywords
- message
- count value
- network element
- key
- value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
- Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
- Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
- Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a data protection method and a system based on a symmetric key, wherein the method applied to a first network element comprises the following steps: obtaining channel information, wherein the channel information comprises a first count value and a master control key; calculating based on the first count value and the master control key to obtain a session key; encrypting the transmission data through the session key to obtain a target ciphertext; acquiring a target ciphertext and a first count value as a first message and sending the first message to a second network element, so that the second network element receives the first message and decrypts the first message, and executing corresponding operation according to decrypted data, wherein the first message is successfully sent each time, and the preset period value is reduced by 1; judging whether the preset period value is 0, if so, re-acquiring the channel information, and resetting the preset period value to be a target value. The method and the device can improve the security of data transmission and can be applied to the field of data protection based on symmetric keys.
Description
Technical Field
The invention relates to the field of data protection based on symmetric keys, in particular to a data protection method and system based on symmetric keys.
Background
At present, a symmetric key is often used for data security protection, but in the long-time use process of a traditional symmetric key, the symmetric key is used for multiple times, so that the symmetric key cannot be updated in time, and is easy to break.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a data protection method and system based on symmetric key. The symmetric key can be updated in time, and the security of data transmission is improved.
The first aspect of the present invention provides a data protection method based on a symmetric key, which is applied to a first network element, and includes: obtaining channel information, wherein the channel information comprises a first count value and a master control key; calculating based on the first count value and the master control key to obtain a session key; encrypting the transmission data through the session key to obtain a target ciphertext; acquiring the target ciphertext and a first count value as a first message and sending the first message to a second network element, so that the second network element receives the first message and decrypts the first message, and executing corresponding operation according to decrypted data, wherein the first message is successfully sent each time, and the preset period value is reduced by 1; judging whether the preset period value is 0, if so, re-acquiring the channel information, and resetting the preset period value to be a target value.
According to some embodiments of the present invention, after the obtaining the target ciphertext and the first count value as the first message and sending the first message to the second network element, the method further includes: and adjusting the first count value, and adding 1 to the first count value.
Another aspect of the present invention provides a data protection method based on a symmetric key, applied to a second network element, including: and receiving and decrypting the first message sent by the first network element, and executing corresponding operation according to the decrypted data.
According to some embodiments of the present invention, the receiving and decrypting the first message sent by the first network element, and executing a corresponding operation according to the decrypted data, further includes: receiving a first message sent by a first network element, and calculating based on a master control key and a first count value in the first message to obtain a session key; and decrypting the target ciphertext in the first message through the session key, if the target ciphertext is successfully decrypted, acquiring a first count value and a second count value in the first message, and if the target ciphertext is successfully decrypted, executing corresponding operation according to the transmission data in the first message, and adding 1 to the second count value.
According to some embodiments of the invention, the decrypting the target ciphertext in the first message with the session key further includes: if decryption fails, judging whether the failure times are greater than a first threshold value, and if so, discarding the first message; if the first threshold is greater than or equal to the first threshold, performing a reset operation; or if the message is greater than or equal to the first threshold value, receiving the message and executing corresponding operation, wherein the message is sent by the first network element.
According to some embodiments of the invention, the obtaining the first count value and the second count value in the first packet for comparison further includes: discarding the first message if the first count value is smaller than the second count value; if the first count value is greater than or equal to the first count value, performing a reset operation; or, if the first count value is greater than or equal to the first count value, performing a retransmission operation.
Another aspect of the present invention provides a symmetric key-based data protection system, comprising: the first network element is used for acquiring channel information, wherein the channel information comprises a first count value and a master control key; calculating based on the first count value and the master control key to obtain a session key; encrypting the transmission data through the session key to obtain a target ciphertext; acquiring the target ciphertext and a first count value as a first message and sending the first message to a second network element, so that the second network element receives the first message and decrypts the first message, and executing corresponding operation according to decrypted data, wherein the first message is successfully sent each time, and the preset period value is reduced by 1; judging whether the preset period value is 0, if so, reselecting the channel information, and resetting the preset period value to be a target value. And the second network element is used for receiving the first message sent by the first network element, decrypting the first message and executing corresponding operation according to the decrypted data.
Another aspect of the invention provides an electronic device comprising a processor and a memory; the memory is used for storing programs; the processor executing the program implements the symmetric key based data protection method as described in any one of the above.
The electronic equipment provided by the embodiment of the invention has at least the same beneficial effects as the data protection method based on the symmetric key.
Another aspect of the present invention provides a computer-readable storage medium storing a program that is executed by a processor to implement the symmetric-key-based data-protection method described in any one of the above.
The computer readable storage medium according to an embodiment of the present invention has at least the same advantageous effects as the above-described symmetric key-based data protection method.
Embodiments of the present invention also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, to cause the computer device to perform the foregoing method.
According to the embodiment of the invention, the preset period value is set at the first network element, the preset period value is reduced by 1 after the first message is successfully sent to the second network element each time, the channel information is selected again when the channel information is reduced to 0, the preset period value is reset, the channel information comprises the first count value and the master control key, the session key can be obtained by calculation based on the first count value and the master control key, so that the session key is updated, the risk of the session key being broken is reduced, and the safety of data transmission is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a first flowchart of a symmetric key based data protection method according to an embodiment of the present invention;
FIG. 2 is a second flowchart of a symmetric key based data protection method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a symmetric key-based data protection system according to an embodiment of the present invention;
fig. 4 is a schematic block diagram of an apparatus of an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
Currently, for the use of symmetric keys, a set of symmetric keys is often used frequently, or the symmetric keys are manually replaced according to the needs of developers. However, the same set of symmetric keys can be used for a long time to enable the symmetric keys to be broken more easily, and artificial replacement is time-consuming and labor-consuming undoubtedly, so that the application provides a data protection method and system based on the symmetric keys, so that the symmetric keys can be replaced in time, the safety of data transmission is further ensured, and the method and system can be widely applied to the related fields of data protection.
Fig. 1 is a first flowchart of a symmetric key-based data protection method according to an embodiment of the present invention, which is applied to a first network element 310, and includes steps S110 to S150:
step S110, channel information is acquired, wherein the channel information comprises a first count value and a master key.
Specifically, the first network element 310 includes a terminal and a server, depending on which party performs the transmission operation. The first network element 310 selects a channel number acquisition channel, the first network element 310 and the second network element 320 interact through the channel, wherein the master control key is a symmetric key already agreed by the first network element 310 and the second network element 320, the information corresponding to the channel is channel information, wherein the first count value and the master control key contained in different channel information are different, and the first network element 310 acquires the channel information randomly, so that the risk of predicting which channel to select is further reduced.
Step S120, a session key is obtained by performing calculation based on the first count value and the master key.
Specifically, the session key is calculated and generated by using aes_ctr algorithm based on the current first count value and the master key, and it is to be noted that after the second network element 320 is sent once, the first count value is incremented by 1, and when the first network element 310 waits for continuing to transmit data, the session key is calculated by re-acquiring the first count value and the master key again, that is, each time the session key is different, so as to further protect the transmission security of the data.
And step S130, encrypting the transmission data through the session key to obtain the target ciphertext.
Specifically, the first network element 310 uses aes_gcm algorithm calculation with the session key to encrypt and protect the transmission interaction of the current transmission data, so as to obtain the target ciphertext, where it is to be noted that the specific content of the transmission data depends on the transmission type, and different transmission types distinguish different messages.
Step S140, the target ciphertext and the first count value are obtained and sent to the second network element 320 as the first message, so that the second network element 320 receives the first message and decrypts the first message, and performs a corresponding operation according to the decrypted data, wherein the preset period value is subtracted by 1 each time the first message is successfully sent.
Step S150, judging whether the preset period value is 0, if so, re-acquiring the channel information, and resetting the preset period value to be a target value.
Specifically, the first network element 310 splices the target ciphertext and the first count value as the first message and sends the first message to the second network element 320, in addition, the first message may further include a message check code for checking validity of the first network element 310 and the second network element 320, and further may further include a transmission type, for example, different transmission types are indicated by different data. The count value of the message header is calculated specifically as follows: the 10 bits of 0-9 bits in the header are the 10 bits of the count value truncated LSB. When the server or the terminal receives the message, the initial value of the timer is used for intercepting the first 22 bits and the 10 bits of the header to splice the first 22 bits and the 10 bits into a count value of 4 bytes. The initial value of the timer is cut off to see whether the carry is carried or not, and if the carry is carried, the complementary bit is needed to be calculated.
After the first network element 310 finishes sending the first message, it updates the configuration file, subtracts 1 from the preset period value, and determines whether the preset period value is equal to 0, if equal to 0, it randomly selects the channel number again and then selects the channel to obtain the channel information, that is, obtains a new first count value and the master key, and calculates to obtain a new session key. When the execution times of the set of session keys reach a preset period value, a new set of session keys are acquired again, so that the update of the session keys is completed, the session keys are more difficult to break, and the safety is improved. It should be noted that, the first network element 310 interacts with the second network element 320 through a channel, and the master key is a value agreed by both parties, so when the first network element 310 selects a new channel to obtain new channel information, and obtains a new master key, the second network element 320 also correspondingly obtains the new agreed master key. It is noted that after the channel is reselected, the preset period value is reset to the target value, that is, how many times the same set of session keys is performed in a new round of calculation is restarted, where the target value may be determined according to a priori knowledge, and may be a fixed value or a variable value.
In another embodiment, after the target ciphertext and the first count value are obtained as the first message and sent to the second network element 320, the method further includes: the first count value is adjusted and added by 1.
Specifically, after the first network element 310 completes sending the first message, the configuration file is updated, and the first count value is incremented by 1. When the first network element 310 sends the first message to the second network element 320 in the next round, the first count value and the master key are calculated again to obtain a new session key, which can be understood that even if the number of interactions between the first network element 310 and the second network element 320 does not reach the preset period value, the first count value is increased by 1 each time the first message is sent, so that a new session key is obtained again each time, thereby further updating the session key and ensuring the security of data transmission.
Referring to fig. 2, fig. 2 is a second flowchart of a symmetric key-based data protection method according to an embodiment of the present invention, which is applied to a second network element 320, and includes the following steps:
step S210, the first message sent by the first network element 310 is received and decrypted, and the corresponding operation is performed according to the decrypted data.
Specifically, after receiving the first message, decrypting the target ciphertext to obtain the transmission data therein, and executing the corresponding operation.
In another embodiment, after receiving the first message, decrypting the target ciphertext to obtain the transmission data therein, and executing the corresponding operation, including the following steps:
receiving a first message sent by a first network element 310, and calculating based on a master control key and a first count value in the first message to obtain a session key;
and decrypting the target ciphertext in the first message through the session key, if the decryption is successful, acquiring a first count value and a second count value in the first message, and if the first count value and the second count value are the same, executing corresponding operation according to the transmission data in the first message, and adding 1 to the second count value.
Specifically, the second network element 320 parses after receiving the first message, and calculates, using the aes_ctr algorithm, a session key based on the master key agreed with the first network element 310 and the first count value in the first message. The second network element 320 decrypts the target ciphertext by using the session key, and further, may also use the message check code MAC to check, if the decryption is successful and the check is successful, it indicates that the message is legal, and continuously compares the first count value in the first message with the second count value in the second network element 320, if the first count value is the same as the second count value in the second network element 320, it indicates that the first network element 310 successfully transmits data to the second network element 320, and the second network element 320 in the previous round obtains the operation corresponding to the successfully executed data, and the transmission and execution of the data are normal, so that the transmission data obtained after the decryption in the first message is responded, and the corresponding operation is executed based on the content of the transmission data, and the second count value is incremented by 1, which indicates that the operation is successfully executed.
Further, when decryption is performed by the session key and verification is performed by the message verification code, if decryption fails or verification fails, the number of failed times is obtained, and when the number of failed times is smaller than a first threshold, the first message is discarded, that is, the first network element 310 waits for the retransmission of the first message. If the failure number is greater than or equal to the first threshold, the second network element 320 performs a reset operation or performs a corresponding operation when receiving a message, specifically, when the first network element 310 is a terminal and the first network element 310 is a service end, the second network element 320 performs different operations, when the first network element 310 is a terminal and the second network element 320 is a service end, the service end performs a reset operation, when the first network element 310 is a service end and the second network element 320 is a terminal, the service end performs a reset operation when not receiving a response of the terminal for a long time, and the terminal waits for a message sent to the terminal when the service end performs the reset operation and performs a corresponding operation according to the content of the message.
Further, when comparing the first count value with the second count value, if the first count value is smaller than the second count value, the first message is discarded, and the first network element 310 waits for sending the next first message. For example, assume that the first network element 310 sends a first message to the second network element 320, the count value in the first message is a, after the sending is successful, the first count value in the first network element 310 is updated to a+1, and after the second network element 320 receives the first message and performs the corresponding operation, the second count value is updated to a+1. At this time, the first network element 310 has a problem, and repeatedly sends the first message including the first count value a to the second network element 320, but at this time, the second count value in the second network element 320 is a+1, which will cause the first count value to be smaller than the second count value, so that the second network element 320 will discard the message at this time, and wait for the next receiving of the first message for comparison again. If the first count value is greater than the second count value, a reset operation or a retransmission operation is performed, specifically, different operations are triggered based on the difference of the first network element 310, and if the first network element 310 is a terminal and the second network element 320 is a server, the server performs the reset operation. When the first network element 310 is a server and the second network element 320 is a terminal, the terminal performs a retransmission operation.
It should be noted that, in a specific embodiment, after checking or decrypting, or after comparing the first count value with the second count value, the specific device corresponding to the second network element 320 may perform a next interaction with the specific device corresponding to the first network element 310, for example, when the first network element 310 is a terminal, the second network element 320 is a server, and after the number of decryption or checking failures of the server exceeds the first threshold, the server interacts with the terminal, so, for a clearer understanding, the following specific embodiments are explained by using the terminal and the server:
further, the first message further includes a transmission type, different transmission types can be distinguished according to different data, and the transmission data corresponding to the different transmission types are also different, where the first network element 310 and the second network element 320 execute different operations based on the terminal or the server, which specifically includes the following operations:
(1) Specifically, when the first network element 310 is a terminal and the second network element 320 is a server, the terminal sends a first message to the server, if the transmission type is that of the message original, the terminal directly encrypts the message original through a session key to obtain a target ciphertext, and splices the target ciphertext into the first message to be sent to the server, and the server decrypts the target ciphertext through the session key to obtain the message original and sends the message original to a corresponding system service for execution; if the transmission type is that the confirmation character is sent, the terminal directly encrypts the confirmation character to obtain a target ciphertext, assembles the target ciphertext into a first message and sends the first message to the server, the server obtains the confirmation character after decrypting the confirmation character through the session key, and stops sending the reset command to the terminal. When the service end needs to execute the reset operation, the confirmation character will continuously send a reset command to the terminal until the service end receives the confirmation character sent by the terminal, so that the confirmation character is used for informing the service end that the terminal has completed the corresponding operation; if the transmission type is a retransmission command, the terminal sends a count value corresponding to the message requiring retransmission to the server.
Further, if the transmission type is a retransmission command, before the terminal sends the count value corresponding to the message requiring retransmission to the server, the method specifically includes the following operations:
specifically, when the first network element 310 is a server and the second network element 320 is a terminal, the first count value sent by the server is set as a downlink count value of the server, and the second count value in the terminal is set as a downlink count value of the terminal; when the first network element 310 is a terminal and the second network element 320 is a server, the first count value sent by the terminal is set as a terminal uplink count value, and the second count value in the server is set as a server downlink count value.
When the first network element 310 is a service end and the second network element 320 is a terminal, the service end sends a message to the terminal, the terminal obtains a service end downlink count value in the message and a terminal downlink count value, if the terminal judges that the service end downlink count value is greater than the terminal downlink count value, the terminal starts to execute retransmission operation, at this time, the terminal is equivalent to the first network element 310, the transmission type of data to be transmitted is a retransmission command, therefore, the terminal uplink count value is obtained, and it is noted that the count value is added by 1 after the terminal executes operation, that is, in practice, after the terminal is used as the first network element 310 to execute operation, the count value is added by 1, in this round, at this time, the terminal uplink count value and the uplink master control key are calculated to obtain a first session key, wherein the used uplink count value is the value added by 1 in the previous round of terminal, the terminal uses the first session key to encrypt the downlink count value as transmission data, and obtain a target ciphertext, and the terminal uses the first session key to encrypt the downlink count value as transmission data, and the first session key is obtained after the first session key is decrypted by the first session key and the first session key is received by the first terminal. At this time, the server becomes the first network element 310 again, the terminal is the second network element 320, the server encrypts the message to be retransmitted as transmission data by using the second session key to obtain a target ciphertext, and sends the target ciphertext to the terminal through a message, after receiving the target ciphertext, the terminal calculates the target ciphertext through its own terminal downlink count value and the master key to obtain the second session key, and decrypts the target ciphertext through the second session key to obtain the retransmitted message.
For a change in the count value therein, the following is exemplified: when the server side is used as the first network element 310, a message is sent to the terminal, at this time, the downlink count value of the server side in the message is A2, after the sending is successful, the downlink count value of the server side in the server side is updated to be a2+1, and after the terminal receives the message, the downlink count value of the server side is compared with the downlink count value of the terminal, the downlink count value of the server side is found to be greater than the downlink count value of the terminal B2, which indicates that when the server side sends the message to the terminal in the last round, the terminal does not send the message, or does not execute the message, thus the downlink count value of the server side in the server side is +1, the downlink count value of the terminal in the terminal is not changed, and thus the downlink count value of the server side is greater than the downlink count value of the terminal B2, after the terminal judges the result, the terminal wants to resend the corresponding message in the last round, that the count value of the terminal downlink count value B2 in the current terminal is the corresponding message in the server side, therefore the downlink count value of the terminal B2 is used as the message in the server side, the terminal is encrypted, after the terminal B2 is sent as the new count value of the terminal, the terminal is sent as the new count value, and the cipher key is required to be sent by the terminal, and the cipher key is obtained.
Based on SCP70 specification, the mutual authentication and data protection solution between the terminal and the server are realized. In authentication and data protection, a session key is obtained through calculation of the type, the count value and the master control key of the message, and the session key is used for encrypting and protecting data transmission. After the count value reaches a certain number of times, the reset terminal count value and the new session factor are requested to be issued so as to protect the symmetric key from being updated in time.
(2) Further, when the first network element 310 is a server and the second network element 320 is a terminal, the server sends a first message to the terminal, if the transmission type is that of the message original, the server directly encrypts the message original through the session key to obtain a target ciphertext, and splices the target ciphertext into the first message to send the first message to the terminal, and the terminal decrypts the target ciphertext through the session key to obtain the message original and performs a corresponding operation based on the content of the message original; if the transmission type is the confirmation character, the server encrypts the confirmation character as transmission data to obtain a target ciphertext, sends the target ciphertext to the terminal through a first message, decrypts the target ciphertext after the terminal receives the target ciphertext to obtain the confirmation character, and stops sending the message requiring retransmission; if the transmission type is a reset command, the server selects a new channel, acquires a new count value and a new master key in the channel, calculates the new master key as transmission data to obtain a target ciphertext through the first key based on the new count value and an old master key in the channel selected last time, acquires the target ciphertext, the new count value and a message check code as a first message and sends the first message to the terminal, the terminal calculates the first key according to the old master key and the new count value in the first message, decrypts the target ciphertext based on the first key to obtain the new master key, calculates the second key as a new session key based on the new master key and the new count value, encrypts a confirmation character as transmission data to obtain the target ciphertext through the session key, and sends the target ciphertext to the server through the message. It can be understood that after the server receives the acknowledgement character, the server stops sending the command for requesting the reset to the terminal. Generally, when the first network element 310 is a terminal and the second network element 320 is a server, the first count value of the terminal is greater than the second count value of the server, and the server triggers a reset command to execute a corresponding operation, so that the terminal resets the session key. The first time the terminal normally reports data, the server normally checks MAC (message check code) and decodes the data on the uplink data, but then the server compares the first count value of the terminal, if the first count value of the terminal is greater than the second count value of the server, the message is discarded, and the server issues a reset command to the terminal. When the server receives the uplink data of the terminal, the server always issues a reset command and skips the check at the moment when the terminal does not receive the response ACK (acknowledgement character) notification of successful reset.
In another embodiment, a symmetric key based data protection system performs the steps of:
the method comprises the steps that a first network element obtains channel information, wherein the channel information comprises a first count value and a master control key;
the first network element calculates a session key based on the first count value and the master key;
the first network element encrypts the transmission data through the session key to obtain a target ciphertext;
the first network element acquires the target ciphertext and the first count value as a first message and sends the first message to the second network element, wherein the first message is successfully sent each time, and the preset period value is reduced by 1;
the first network element judges whether the preset period value is 0, and if the preset period value is equal to 0, the channel information is acquired again, and the preset period value is reset to be a target value;
the second network element receives the first message sent by the first network element, decrypts the first message, and executes corresponding operation according to the decrypted data.
Referring to fig. 3, fig. 3 is a schematic diagram of a symmetric key-based data protection system according to an embodiment of the present invention, including a first network element 310 and a second network element 320:
a first network element 310, configured to obtain channel information, where the channel information includes a first count value and a master key; calculating based on the first count value and the master control key to obtain a session key; encrypting the transmission data through the session key to obtain a target ciphertext; acquiring a target ciphertext and a first count value as a first message and sending the first message to the second network element 320, so that the second network element 320 receives the first message and decrypts the first message, and executing corresponding operation according to decrypted data, wherein the preset period value is reduced by 1 each time the first message is successfully sent; judging whether the preset period value is 0, if so, reselecting the channel information, and resetting the preset period value as a target value.
The second network element 320 is configured to receive and decrypt the first message sent by the first network element 310, and perform a corresponding operation according to the decrypted data.
Referring to fig. 4, the embodiment provides an electronic device, which includes a processor and a memory coupled to the processor, wherein the memory stores program instructions executable by the processor, and the processor implements the target risk website detection method when executing the program instructions stored by the memory. The processor may also be referred to as a CPU (Centra l Process ing Un it ). The processor may be an integrated circuit chip having signal processing capabilities. The processor may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. The general purpose processor may be a microprocessor, or it may be any conventional processor or the like. The memory may include various components (e.g., machine readable media) including, but not limited to, random access memory components, read-only components, and any combination thereof. The memory 520 may also include: instructions (e.g., software) stored on one or more machine-readable media; the instruction implements the target risk website detection method in the above embodiment. The electronic device has the function of carrying and running a software system for target risk website detection provided by the embodiment of the invention, such as a personal computer (Persona l Computer, PC), a mobile phone, a smart phone, a personal digital assistant (Persona l Digita l Ass i stant, PDA), a wearable device, a palm computer PPC (Pocket PC), a tablet computer and the like.
Embodiments of the present invention also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, to cause the computer device to perform the methods shown in fig. 1 and 2.
In some alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flowcharts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed, and in which sub-operations described as part of a larger operation are performed independently.
Furthermore, while the invention is described in the context of functional modules, it should be appreciated that, unless otherwise indicated, one or more of the described functions and/or features may be integrated in a single physical device and/or software module or one or more functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary to an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be apparent to those skilled in the art from consideration of their attributes, functions and internal relationships. Accordingly, one of ordinary skill in the art can implement the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative and are not intended to be limiting upon the scope of the invention, which is to be defined in the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., a ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable Gate Arrays (PGAs), field Programmable Gate Arrays (FPGAs), and the like.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the spirit and principles of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiment of the present invention has been described in detail, the present invention is not limited to the embodiments described above, and those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present invention, and these equivalent modifications or substitutions are included in the scope of the present invention as defined in the appended claims.
Claims (10)
1. A data protection method based on a symmetric key, which is applied to a first network element, comprising:
obtaining channel information, wherein the channel information comprises a first count value and a master control key;
calculating based on the first count value and the master control key to obtain a session key;
encrypting the transmission data through the session key to obtain a target ciphertext;
acquiring the target ciphertext and a first count value as a first message and sending the first message to a second network element, so that the second network element receives the first message and decrypts the first message, and executing corresponding operation according to decrypted data, wherein the first message is successfully sent each time, and the preset period value is reduced by 1;
judging whether the preset period value is 0, if so, re-acquiring the channel information, and resetting the preset period value to be a target value.
2. The symmetric-key-based data protection method according to claim 1, wherein after the target ciphertext and the first count value are obtained as the first message and sent to the second network element, the method further comprises:
and adjusting the first count value, and adding 1 to the first count value.
3. A data protection method based on a symmetric key, which is applied to a second network element, comprising:
and receiving and decrypting the first message sent by the first network element, and executing corresponding operation according to the decrypted data.
4. The symmetric-key-based data protection method according to claim 3, wherein the receiving the first message sent by the first network element and decrypting the first message, and executing the corresponding operation according to the decrypted data, further comprises:
receiving a first message sent by a first network element, and calculating based on a master control key and a first count value in the first message to obtain a session key;
and decrypting the target ciphertext in the first message through the session key, if the target ciphertext is successfully decrypted, acquiring a first count value and a second count value in the first message, and if the target ciphertext is successfully decrypted, executing corresponding operation according to the transmission data in the first message, and adding 1 to the second count value.
5. The symmetric-key-based data protection method according to claim 4, wherein the decrypting the target ciphertext in the first message by the session key further comprises:
if decryption fails, judging whether the failure times are greater than a first threshold value, and if so, discarding the first message;
if the first threshold is greater than or equal to the first threshold, performing a reset operation;
or alternatively, the process may be performed,
and if the message is greater than or equal to a first threshold value, receiving the message and executing corresponding operation, wherein the message is sent by the first network element.
6. The symmetric-key-based data protection method according to claim 4, wherein the obtaining the first count value and the second count value in the first packet is compared, and further comprising:
discarding the first message if the first count value is smaller than the second count value;
if the first count value is greater than or equal to the first count value, performing a reset operation;
or alternatively, the process may be performed,
and if the first count value is greater than or equal to the first count value, executing retransmission operation.
7. A symmetric key based data protection system, comprising:
the first network element is used for acquiring channel information, wherein the channel information comprises a first count value and a master control key; calculating based on the first count value and the master control key to obtain a session key; encrypting the transmission data through the session key to obtain a target ciphertext; acquiring the target ciphertext and a first count value as a first message and sending the first message to a second network element, so that the second network element receives the first message and decrypts the first message, and executing corresponding operation according to decrypted data, wherein the first message is successfully sent each time, and the preset period value is reduced by 1; judging whether the preset period value is 0, if so, reselecting the channel information, and resetting the preset period value to be a target value.
And the second network element is used for receiving the first message sent by the first network element, decrypting the first message and executing corresponding operation according to the decrypted data.
8. An electronic device comprising a processor and a memory;
the memory is used for storing programs;
the processor executing the program implements the method of any one of claims 1 to 6.
9. A computer-readable storage medium, characterized in that the storage medium stores a program that is executed by a processor to implement the method of any one of claims 1 to 6.
10. A computer program product comprising a computer program which, when executed by a processor, implements the method of any of claims 1 to 6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211639614.5A CN116015830A (en) | 2022-12-20 | 2022-12-20 | Data protection method and system based on symmetric key |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211639614.5A CN116015830A (en) | 2022-12-20 | 2022-12-20 | Data protection method and system based on symmetric key |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116015830A true CN116015830A (en) | 2023-04-25 |
Family
ID=86032699
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211639614.5A Pending CN116015830A (en) | 2022-12-20 | 2022-12-20 | Data protection method and system based on symmetric key |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116015830A (en) |
-
2022
- 2022-12-20 CN CN202211639614.5A patent/CN116015830A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112637836B (en) | Data processing method and device, electronic equipment and storage medium | |
| US9787663B2 (en) | Replaying a batch of secure commands in a secure channel | |
| US8688996B2 (en) | Multipad encryption | |
| CN111294203B (en) | Information transmission method | |
| US20200313879A1 (en) | Apparatus and method for quantum direct communication using single qubits | |
| CN110611670A (en) | API request encryption method and device | |
| CN107864129B (en) | Method and device for ensuring network data security | |
| KR20210153595A (en) | Encrypted data verification method | |
| CN111914291A (en) | Message processing method, device, equipment and storage medium | |
| CN112311769B (en) | Method, system, electronic device and medium for security authentication | |
| US9614820B2 (en) | Method and system for the manipulation-protected generation of a cryptographic key | |
| US11716367B2 (en) | Apparatus for monitoring multicast group | |
| WO2021109817A1 (en) | Key update method, data decryption method, and digital signature authentication method | |
| CN107343001B (en) | Data processing method and device | |
| CN116015830A (en) | Data protection method and system based on symmetric key | |
| GB2522096A (en) | Data encryption and decryption | |
| CN113489589A (en) | Data encryption and decryption method and device and electronic equipment | |
| CN111654731A (en) | Key information transmission method and device, electronic equipment and computer storage medium | |
| CN110602146A (en) | Data encryption and decryption method, readable storage medium and electronic equipment | |
| EP3163929B1 (en) | Preventing messaging attacks | |
| GB2365702A (en) | Mobile radio communication system | |
| KR20080030266A (en) | Service method for encryption of short message and apparatus thereof | |
| WO2018094594A1 (en) | Communication method and device | |
| KR100250457B1 (en) | Communication method between transmitter and receiver in internet protocol based network | |
| CN113852469B (en) | Method, device, equipment and readable storage medium for transmitting data between block chain nodes |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |